In many systems, a key must be processed before it can be useful. For example, a public/private keypair must be processed before it can be used in Secure Sockets Layer (SSL) or Transport Layer Security (TLS) communications. After a requestor generates the public/private keypair, the requestor creates a certificate signing request that ties the public portion of the keypair to an identity in a form the Certificate Authority can verify. When the Certificate Authority is satisfied with the identity of the requestor, it sends back an identity certificate signed by the Certificate Authority. The keypair and certificate are then installed on a system to service secure communication for the requestor. After installation, the keypair and certificate are ready for use and may be considered active.
Use of a single key for an extended period may not be advisable, as a key can become compromised. Key rotation and maintenance allow administrators to reduce the risk of system compromise by reducing the time during which a compromised key may be actively used. For example, an administration team can choose to rotate a certificate used for communication over SSL. Because many different systems are involved, the administration team may manually perform many steps and manually move information from one system to another. Tools, such as a keypair generator, may be used to aid the key rotation. Once the administration team is satisfied that all servers have the new certificate active, the key rotation may be considered complete. However, key rotation can be both a benefit and a problem. Key rotation and maintenance can present security issues, as manual intervention and internal and external systems may be involved. For example, keypair generation and installation of a certificate with the private key of the keypair require access to the private key. If an administrative account is accidentally compromised, the private key may be viewed and/or accessed. Similarly, mistakes may happen where a private key is improperly stored, generated, or transmitted, exposing the private key.